Bug 1881218 - unable to run RHEL6 container in RHEL 8.3 (container-selinux not installed with podman)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Jindrich Novy
QA Contact: Joy Pu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-21 20:23 UTC by Jakub Jelen
Modified: 2023-09-15 00:48 UTC (History)

Fixed In Version: podman-2.1.1-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-16 14:21:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Description Jakub Jelen 2020-09-21 20:23:52 UTC
Description of problem:
With the update to RHEL 8.3 I am no longer able to run containers using podman. It turned out that installation of podman did not trigger installation of container-selinux for some reason, which makes any container operation impossible without many pointers to what's wrong.

Version-Release number of selected component (if applicable):
podman-2.0.0-0.9.rc7.module+el8.3.0+7084+c16098dd.x86_64
selinux-policy-3.14.3-48.el8.noarch

How reproducible:
always

Steps to Reproduce:
0. Latest RHEL 8.3 compose installation
1. [root@RHEL-8-3-0-20200909-1 ~]# dnf install podman
...
... not installing container-selinux
...
2. [root@RHEL-8-3-0-20200909-1 ~]# podman run -it rhel6:6.10 /bin/bash

Actual results:

Trying to pull registry.access.redhat.com/rhel6:6.10...
Getting image source signatures
Copying blob 727cd7ac3772 done  
Copying blob 9c279408dd9d done  
Copying config 1020f27b5b done  
Writing manifest to image destination
Storing signatures
[root@RHEL-8-3-0-20200909-1 ~]# echo $?
127
... no reasonable error message -- just exit code ...

Expected results:
getting shell from the RHEL 6 container as it used to work in RHEL 8.2 and how it works with proper dependencies installed.

Additional info:
logs
[root@RHEL-8-3-0-20200909-1 ~]# ausearch -m AVC -ts recent
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.120:192): proctitle="/bin/bash"
type=EXECVE msg=audit(1600719596.120:192): argc=1 a0="/bin/bash"
type=SYSCALL msg=audit(1600719596.120:192): arch=c000003e syscall=59 success=yes exit=0 a0=c0000c5860 a1=c00020d850 a2=c000090570 a3=a items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.120:192): avc:  denied  { read write } for  pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.120:192): avc:  denied  { read write } for  pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.120:192): avc:  denied  { read write } for  pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
type=AVC msg=audit(1600719596.120:192): avc:  denied  { read write } for  pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:193): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:193): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba05d9000 a1=1ff000 a2=0 a3=1 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:193): avc:  denied  { read } for  pid=9997 comm="bash" path="/lib64/libtinfo.so.5.7" dev="dm-0" ino=16932394 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:194): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:194): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba03ba000 a1=200000 a2=0 a3=1 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:194): avc:  denied  { read } for  pid=9997 comm="bash" path="/lib64/libdl-2.12.so" dev="dm-0" ino=16932625 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:195): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:195): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba01af000 a1=1ff000 a2=0 a3=1 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:195): avc:  denied  { read } for  pid=9997 comm="bash" path="/lib64/libc-2.12.so" dev="dm-0" ino=16932467 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.121:196): proctitle="/bin/bash"
type=SYSCALL msg=audit(1600719596.121:196): arch=c000003e syscall=10 success=no exit=-13 a0=7f8ba03ae000 a1=4000 a2=1 a3=7f8ba09fefd8 items=0 ppid=9985 pid=9997 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="bash" exe="/bin/bash" subj=system_u:system_r:container_t:s0:c232,c620 key=(null)
type=AVC msg=audit(1600719596.121:196): avc:  denied  { read } for  pid=9997 comm="bash" path="/lib64/libc-2.12.so" dev="dm-0" ino=16932467 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
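
The AVC records above were the only signal the reporter got, since podman itself just exited 127. As an added example, not code from this report or from the podman project, here is a small Python triage helper that parses `ausearch -m AVC` output and groups the denials whose source domain is container_t by the label of the target object. Its heuristic is mine, not the page's: a container_t process being denied read on file-class objects labelled var_lib_t rather than container_file_t indicates container storage that was never labelled for containers, which is the symptom this bug attributes to the missing container-selinux package. The embedded audit sample is a trimmed copy of the lines above, constructed for the example.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the `ausearch -m AVC` output in the
# report above, including the non-AVC records (----, time->, PROCTITLE) that
# a parser has to skip.
SAMPLE_AUDIT = """\
----
time->Mon Sep 21 20:19:56 2020
type=PROCTITLE msg=audit(1600719596.120:192): proctitle="/bin/bash"
type=AVC msg=audit(1600719596.120:192): avc:  denied  { read write } for  pid=9997 comm="bash" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=system_u:object_r:container_file_t:s0:c232,c620 tclass=chr_file permissive=0
----
time->Mon Sep 21 20:19:56 2020
type=AVC msg=audit(1600719596.121:193): avc:  denied  { read } for  pid=9997 comm="bash" path="/lib64/libtinfo.so.5.7" dev="dm-0" ino=16932394 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600719596.121:195): avc:  denied  { read } for  pid=9997 comm="bash" path="/lib64/libc-2.12.so" dev="dm-0" ino=16932467 scontext=system_u:system_r:container_t:s0:c232,c620 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

# type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perms } for  key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<decision>\w+)\s+"
    r"\{(?P<perms>[^}]*)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    serial: int
    perms: tuple
    comm: str
    path: str
    stype: str   # SELinux type of the source context (the process)
    ttype: str   # SELinux type of the target context (the object)
    tclass: str


def se_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a Denial, or None for anything that is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m or m.group("decision") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        serial=int(m.group("serial")),
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        path=fields.get("path", fields.get("name", "")),
        stype=se_type(fields["scontext"]),
        ttype=se_type(fields["tcontext"]),
        tclass=fields.get("tclass", ""),
    )


def parse_audit(text):
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def triage(text):
    """Group container_t denials by target label.

    Heuristic (an assumption of this example, not a statement from the report):
    a container process denied read access to file-class objects that carry a
    non-container label such as var_lib_t means the image store was never
    labelled for containers, i.e. the container-selinux file-context rules are
    not installed on the host.
    """
    denials = [d for d in parse_audit(text) if d.stype == "container_t"]
    mislabelled = {}
    for d in denials:
        if d.tclass in ("file", "dir", "lnk_file") and not d.ttype.startswith("container_"):
            mislabelled.setdefault(d.ttype, []).append(d.path)
    return {
        "container_t_denials": len(denials),
        "mislabelled_targets": mislabelled,
        "suspect_missing_container_selinux": bool(mislabelled),
    }


def report(text):
    t = triage(text)
    lines = [f"container_t denials: {t['container_t_denials']}"]
    for ttype, paths in t["mislabelled_targets"].items():
        lines.append(f"  targets labelled {ttype} instead of container_file_t: {', '.join(paths)}")
    if t["suspect_missing_container_selinux"]:
        lines.append("  hint: run `rpm -q container-selinux`; image storage is not being labelled for containers")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe `ausearch -m AVC -ts recent` into this script, or run it on the sample.
    print(report(SAMPLE_AUDIT if sys.stdin.isatty() else sys.stdin.read()))
```

The first denial in the sample (container_t on a container_file_t pty) is deliberately left out of the "mislabelled" bucket: the target there already carries the container label, so it says nothing about file-context rules, and lumping it in would turn every ordinary policy denial into a false "package missing" verdict.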

Comment 2 Jindrich Novy 2020-09-22 06:08:19 UTC
This one is actually a feature. See bug 1806044. The container-selinux package is a soft dependency of podman. The motivation is to reduce the overall size of podman related images as hard dependency on container-selinux pulls in bulky selinux-policy.

The proposed solution to what you see is to install soft deps together with podman. This will be documented in the release notes.

Comment 3 Jakub Jelen 2020-09-22 07:28:23 UTC
Really? Is there anything podman can do without the policy (well ... assuming selinux is enabled)? I am afraid this will cause a lot of pain as it causes weird issues without any reasonable error messages.

Would it make sense to modify podman to check this at runtime, if selinux is enabled to warn a user that the policy is missing and nothing will work?

Comment 4 Jindrich Novy 2020-09-22 07:34:12 UTC
Sounds good. Matt, does comment #3 sound like a good feature for 8.3.1 and later?

Comment 5 Ondrej Mosnacek 2020-09-22 07:49:03 UTC
Maybe podman should have:

Requires: container-selinux if selinux-policy

(At least I hope boolean dependencies [1] work in RHEL-8...)

[1] https://rpm.org/user_doc/boolean_dependencies.html

Comment 6 Jindrich Novy 2020-09-22 08:46:54 UTC
Yes, Ondrej Mosnacek, this makes sense. Leaving it upon Matt to decide whether a runtime check is a good thing to do.

Proposing this for 8.3.1.

Comment 8 Matthew Heon 2020-09-22 13:31:59 UTC
I defer the question about a runtime check to Dan Walsh and his superior knowledge of SELinux, but this sounds like a good idea to me.

Comment 9 Jakub Jelen 2020-09-24 11:17:57 UTC
The same issue is also in Fedora packages. Do you need a separate bug for Fedora or can you pull the same change there too?

Comment 10 Jindrich Novy 2020-09-24 11:26:17 UTC
Yes Jakub, Fedora packages are maintained by Lokesh, not me.

Comment 11 Ondrej Mosnacek 2020-09-24 11:34:59 UTC
But you can submit a pull request, no? What about the "upstream first" principle?

Comment 12 Jakub Jelen 2020-09-24 12:39:01 UTC
Fedora Pull request: https://src.fedoraproject.org/rpms/podman/pull-request/39

Comment 13 Michele Baldessari 2020-09-30 14:11:22 UTC
(In reply to Jindrich Novy from comment #7)
> https://pkgs.devel.redhat.com/cgit/rpms/podman/patch/?id=0538626d5f57c8e511628900ea44cb4e79abf2cd
> 

I believe that:
-Recommends: container-selinux
+Requires: container-selinux if selinux-policy

Needs to be "Requires: (container-selinux if selinux-policy)"

From the guide: 'Boolean Expressions are always enclosed with parenthesis.'

In fact the current podman-2.1.1-1.module+el8.3.1+8253+050ebf3c.x86_64.rpm build is not installable as it has all the requirements now:
$ rpm -qp --requires podman-2.1.1-1.module+el8.3.1+8253+050ebf3c.x86_64.rpm |grep -e if -e selinux
container-selinux
if
selinux-policy
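
Comment 5 proposes a boolean (rich) dependency and comment 13 shows what happens when the expression is not parenthesised: rpm reads `container-selinux if selinux-policy` as three ordinary requirements, one of them literally named `if`, and nothing provides a package by that name. The following Python helper is an added example, not the podman spec or any Red Hat tooling: it lints the dependency tags of a spec for unparenthesised boolean expressions, rewrites them, and interprets `rpm -qp --requires` output the way a reviewer would. The spec fragments and rpm output are constructed for the example; `example-runtime` is a made-up package name.

```python
import re

# rpm's boolean ("rich") dependency operators; the expression must be wrapped
# in parentheses or rpm treats each whitespace-separated token as a package.
BOOLEAN_OPS = ("and", "or", "if", "else", "with", "without", "unless")
OP_RE = re.compile(r"\s(?:%s)\s" % "|".join(BOOLEAN_OPS))
DEP_TAG_RE = re.compile(
    r"^(?P<tag>Requires|Recommends|Suggests|Supplements|Enhances|Conflicts)"
    r"(?P<qual>\([^)]*\))?(?P<sep>:\s*)(?P<value>.+?)\s*$"
)

# Constructed spec fragments; example-runtime is a made-up package name.
BAD_SPEC = """\
Name: podman
Requires: container-selinux if selinux-policy
Requires: example-runtime >= 1.0
"""
GOOD_SPEC = """\
Name: podman
Requires: (container-selinux if selinux-policy)
Requires: example-runtime >= 1.0
"""

# Constructed `rpm -qp --requires` output for a broken and a fixed build,
# modelled on the listing in comment 13.
BROKEN_REQUIRES_OUTPUT = """\
container-selinux
if
selinux-policy
rpmlib(CompressedFileNames) <= 3.0.4-1
"""
FIXED_REQUIRES_OUTPUT = """\
(container-selinux if selinux-policy)
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(RichDependencies) <= 4.12.0-1
"""


def _needs_parens(value):
    # Pad with spaces so an operator at either end of the value is still caught.
    return bool(OP_RE.search(f" {value} ")) and not value.startswith("(")


def lint_spec(spec_text):
    """Return dependency lines that use a boolean operator without the mandatory parentheses."""
    problems = []
    for line in spec_text.splitlines():
        m = DEP_TAG_RE.match(line)
        if m and _needs_parens(m.group("value")):
            problems.append(line.strip())
    return problems


def fix_requires_line(line):
    """Wrap an unparenthesised boolean expression; leave every other line untouched."""
    m = DEP_TAG_RE.match(line)
    if not m or not _needs_parens(m.group("value")):
        return line
    return f"{m.group('tag')}{m.group('qual') or ''}{m.group('sep')}({m.group('value')})"


def fix_spec(spec_text):
    return "\n".join(fix_requires_line(line) for line in spec_text.splitlines()) + "\n"


def requires_status(rpm_output):
    """Interpret `rpm -qp --requires` output.

    A bare operator such as `if` listed as a requirement is the tell-tale of a
    missing pair of parentheses; the package is then uninstallable because no
    package provides `if`. A correctly built rich dependency shows up as the
    parenthesised expression, and rpm adds an rpmlib(RichDependencies) marker.
    """
    deps = [d.strip() for d in rpm_output.splitlines() if d.strip()]
    return {
        "stray_operators": [d for d in deps if d in BOOLEAN_OPS],
        "rich_deps": [d for d in deps if d.startswith("(")],
        "rich_marker": any(d.startswith("rpmlib(RichDependencies)") for d in deps),
    }


if __name__ == "__main__":
    for bad in lint_spec(BAD_SPEC):
        print("unparenthesised boolean dependency:", bad)
        print("  suggested:", fix_requires_line(bad))
    for label, out in (("broken build", BROKEN_REQUIRES_OUTPUT), ("fixed build", FIXED_REQUIRES_OUTPUT)):
        print(label, requires_status(out))
```

Running the linter before the build catches the mistake at the spec; running `requires_status` on the built package's `rpm -qp --requires` output catches it after, which is the check comment 13 performed by hand and comment 27 repeated with `yum deplist`.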

Comment 15 Tom Sweeney 2020-09-30 21:06:08 UTC
Dan/Jindrich,

Thoughts on Michele's comment?  https://bugzilla.redhat.com/show_bug.cgi?id=1881218#c13

Comment 16 Michele Baldessari 2020-10-01 06:31:01 UTC
(In reply to Tom Sweeney from comment #15)
> Dan/Jindrich,
> 
> Thoughts on Michele's comment? 
> https://bugzilla.redhat.com/show_bug.cgi?id=1881218#c13

It's been fixed in  podman-2.1.1-2.module+el8.3.1+8286+0ceb9ba9 and is installable again, thanks!

Comment 17 Jindrich Novy 2020-10-01 07:19:34 UTC
Thanks Michele. The podman-2.1.1-2.module+el8.3.1+8286+0ceb9ba9 in the rhel8 test branch now contains the fix for the boolean dep. Let's give it some testing.

Comment 19 Tom Sweeney 2020-10-01 18:12:40 UTC
As it looks like Jindrich has the fix in hand, I'm going to change this to POST for any further packaging needs and BZ changes.

Comment 20 Michele Baldessari 2020-10-02 15:29:51 UTC
(In reply to Jindrich Novy from comment #17)
> Thanks Michele. The podman-2.1.1-2.module+el8.3.1+8286+0ceb9ba9 in the rhel8
> test branch now contains the fix for the boolean dep. Let's give it some
> testing.

Just as a quick drive-by info, podman-2.1.1-2 has worked well in my OSP testing so far. You all have a nice weekend!

Comment 27 Joy Pu 2020-11-11 15:42:26 UTC
Checked with podman-2.1.1-3.module+el8.3.1+8686+2a59bca3.x86_64 and the dependency is already updated. So set this to verified. Details:
# yum deplist podman
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Last metadata expiration check: 0:12:59 ago on Wed 11 Nov 2020 10:26:48 AM EST.
package: podman-2.1.1-3.module+el8.3.1+8686+2a59bca3.x86_64
  dependency: (container-selinux if selinux-policy)
   provider: container-selinux-2:2.151.0-1.module+el8.3.1+8686+2a59bca3.noarch
...

Comment 29 errata-xmlrpc 2021-02-16 14:21:45 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0531

Comment 30 Red Hat Bugzilla 2023-09-15 00:48:30 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
